
ERROR failed to catalog: unable to decode sbom: sbom format not recognized #2557

Open
abuhurraira opened this issue Mar 23, 2025 · 3 comments
Labels
bug Something isn't working

Comments

@abuhurraira

abuhurraira commented Mar 23, 2025

What happened:

When I run Grype to scan my SBOM file generated by Syft, I consistently receive the following error:

ERROR failed to catalog: unable to decode sbom: sbom format not recognized

I have attempted to generate the SBOM in multiple formats—including SPDX JSON, CycloneDX JSON, and plain JSON—but Grype fails to recognize any of these formats. I have validated the generated SBOM files using online validators for SPDX and CycloneDX, and they appear to be correctly structured.

What you expected to happen:

I expected Grype to successfully parse and catalog the SBOM file, identifying the list of packages and dependencies so that it can scan them for vulnerabilities.

Generate the SBOM using Syft:

For SPDX JSON format:

    syft dir:. -o spdx-json > sbom.json

For CycloneDX JSON format:

    syft dir:. -o cyclonedx-json > sbom.json

For plain JSON format:

    syft dir:. -o json > sbom.json

Run Grype on the SBOM file:

    grype sbom:./sbom.json

Grype Version: 0.90.0
Syft Version: 1.21.0

Operating System: Windows 11 / PowerShell PSVersion: 5.1.22621.4391

@abuhurraira abuhurraira added the bug Something isn't working label Mar 23, 2025
@spiffcs
Contributor

spiffcs commented Mar 26, 2025

Thanks @abuhurraira for the bug report:

ERROR failed to catalog: unable to decode sbom: sbom format not recognized

What do the contents of the file look like for each SBOM file?
If the contents look valid on a cursory glance could you try something like this for a sanity check:

syft -o json alpine:latest > test.json
grype test.json

I want to try and track down if it's an issue with the tools themselves on windows or if the directory being scanned is producing some kind of error that syft cannot get through.

@abuhurraira
Author

sbom.cdx.json This is the file in CycloneDX format. Please check and let me know if there's an issue with the file.

@kzantow
Contributor

kzantow commented Mar 31, 2025

Hey @abuhurraira, I downloaded and tried the SBOM you provided, and I do not receive the error you mentioned. Is there an issue with file encodings when using file redirection > sbom... in PowerShell?

Could you try to output the file directly, using -o <format>=<file-path>, e.g.

syft dir:. -o json=sbom.json
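
An added diagnostic for the encoding question raised in the comment above (it is not part of this thread nor of Syft or Grype): it checks whether an SBOM file begins with a byte-order mark, decodes it accordingly, identifies the format from its top-level keys, and re-encodes the document as BOM-less UTF-8. The sample document is constructed, and the assumption that Windows PowerShell 5.1's > redirection writes UTF-16LE with a BOM is mine.

```python
import codecs
import json

# Byte-order marks mapped to codecs that consume the BOM while decoding.
# Assumption (not from the thread): the UTF-16 cases model what Windows
# PowerShell 5.1's ">" redirection writes by default.
BOM_CODECS = [
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16"),
    (codecs.BOM_UTF16_BE, "utf-16"),
]


def detect_encoding(raw: bytes) -> str:
    """Return the codec implied by a leading BOM, or plain utf-8 when none is present."""
    for bom, codec in BOM_CODECS:
        if raw.startswith(bom):
            return codec
    return "utf-8"


def sniff_sbom_format(doc: dict) -> str:
    """Classify a parsed SBOM by the top-level keys each JSON format carries."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx-json"
    if "spdxVersion" in doc:
        return "spdx-json"
    if "artifacts" in doc and "descriptor" in doc:
        return "syft-json"
    return "unknown"


def inspect_sbom(raw: bytes) -> dict:
    """Report encoding, BOM presence and detected format for raw SBOM bytes."""
    codec = detect_encoding(raw)
    doc = json.loads(raw.decode(codec))
    return {"encoding": codec, "bom": codec != "utf-8", "format": sniff_sbom_format(doc)}


def to_utf8(raw: bytes) -> bytes:
    """Re-encode an SBOM as BOM-less UTF-8, the form a JSON decoder expects."""
    return raw.decode(detect_encoding(raw)).encode("utf-8")


# Constructed sample: a minimal CycloneDX document stored as UTF-16LE with a BOM.
CDX_TEXT = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []})
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + CDX_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    print(inspect_sbom(SAMPLE_UTF16))
    print(inspect_sbom(to_utf8(SAMPLE_UTF16)))
```

Run it against the real sbom.json instead of the sample by reading the file in binary mode; a reported BOM or UTF-16 encoding is the signal to write the file with -o json=sbom.json rather than through redirection.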
